netdev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[PATCH] Fix X.25 use after free.

from [Stephen Hemminger] [Permanent Link][Original]
To: Henner Eisen <eis@xxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxx>
Subject: [PATCH] Fix X.25 use after free.
From: Stephen Hemminger <shemminger@xxxxxxxx>
Date: Tue, 5 Aug 2003 15:01:10 -0700
Cc: linux-x25@xxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx
Organization: Open Source Development Lab
Sender: netdev-bounce@xxxxxxxxxxx 
The conversion from cli/sti to locking in X.25 must not have been tested
on a real SMP with memory debugging enabled.  It OOPS right away if
I do:
        modprobe x25; ifconfig -a

The problem is that it dereferences the socket after it has already been
freed.  The fix for this is to make the call to sock_put, later in
x25_destroy_socket do the free.  Also, need a go to avoid references
in x25_release.

This patch is against 2.6.0-test2.
diff -urNp -X dontdiff net-2.5/net/x25/af_x25.c linux-2.5-net/net/x25/af_x25.c
--- net-2.5/net/x25/af_x25.c    2003-08-01 11:12:02.000000000 -0700
+++ linux-2.5-net/net/x25/af_x25.c      2003-08-05 12:14:42.000000000 -0700
@@ -350,8 +350,11 @@ void x25_destroy_socket(struct sock *sk)
                sk->sk_timer.function = x25_destroy_timer;
                sk->sk_timer.data     = (unsigned long)sk;
                add_timer(&sk->sk_timer);
-       } else
-               sk_free(sk);
+       } else {
+               /* drop last reference so sock_put will free */
+               __sock_put(sk);
+       }
+
        release_sock(sk);
        sock_put(sk);
 }
@@ -553,7 +556,7 @@ static int x25_release(struct socket *so
                case X25_STATE_2:
                        x25_disconnect(sk, 0, 0, 0);
                        x25_destroy_socket(sk);
-                       break;
+                       goto out;
 
                case X25_STATE_1:
                case X25_STATE_3:
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [PATCH] Fix use after free in AX.25, Stephen Hemminger
Next by Date:  Re: e100 "Ferguson" release, Felix Radensky
Previous by Thread:  [PATCH] Fix use after free in AX.25, Stephen Hemminger
Next by Thread:  Re: [PATCH] Fix X.25 use after free., James Morris
Indexes:  [Date] [Thread] [Top] [All Lists]